The US has several sector-specific and medium-specific national privacy or data security laws, including laws and regulations that apply to financial institutions, telecommunications companies, personal health information, credit report information, children's information, telemarketing and direct marketing.

The US also has hundreds of privacy and data security among its 50 states and territories, such as requirements for safeguarding data, disposal of data, privacy policies, appropriate use of Social Security numbers and data breach notification. California alone has more than 25 state privacy and data security laws, including the recently enacted California Consumer Privacy Act of 2018 (CCPA), effective January 1, 2020. The CCPA applies cross-sector and introduces sweeping definitions and broad individual rights, and imposes substantial requirements and restrictions on the collection, use and disclosure of personal information, which is very broadly defined as explained below.

In addition, the US Federal Trade Commission (FTC) has jurisdiction over a wide range of commercial entities under its authority to prevent and protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices. The FTC uses this authority to, among other things, issue regulations, enforce certain privacy laws and take enforcement actions and investigate companies for:

Failing to implement reasonable data security measures

Making materially inaccurate privacy and security representations including in privacy policies

Failing to abide by applicable industry self-regulatory principles

Transferring or attempting to transfer personal information to an acquiring entity in a bankruptcy or M&A transaction, in a manner not expressly disclosed on the applicable consumer privacy policy

Violating consumer privacy rights by collecting, using, sharing or failing to adequately protect consumer information, in violation of the FTC’s consumer privacy framework or certain national privacy laws and regulations

Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states.

As illustrated above, US privacy law is a complex patchwork of national privacy laws and regulations that address particular issues or sectors, state laws that further address privacy and security of personal information, and federal and state prohibitions against unfair or deceptive business practices. While this chapter provides an overview of US national and state privacy and security laws and highlights key aspects of such laws, these laws are too diverse to summarize fully. Further, US privacy law is currently in flux—in 2019, the California Attorney General will be issuing CCPA regulations and several other states are expected to pass significant privacy laws. While support is growing for a comprehensive, national privacy law that would supersede and preempt state privacy laws, it is unlikely such a law will be adopted in 2019.

The US has several sector-specific and medium-specific national privacy or data security laws, including laws and regulations that apply to financial institutions, telecommunications companies, personal health information, credit report information, children's information, telemarketing and direct marketing.

The US also has hundreds of privacy and data security among its 50 states and territories, such as requirements for safeguarding data, disposal of data, privacy policies, appropriate use of Social Security numbers and data breach notification. California alone has more than 25 state privacy and data security laws, including the recently enacted California Consumer Privacy Act of 2018 (CCPA), effective January 1, 2020. The CCPA applies cross-sector and introduces sweeping definitions and broad individual rights, and imposes substantial requirements and restrictions on the collection, use and disclosure of personal information, which is very broadly defined as explained below.

In addition, the US Federal Trade Commission (FTC) has jurisdiction over a wide range of commercial entities under its authority to prevent and protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices. The FTC uses this authority to, among other things, issue regulations, enforce certain privacy laws and take enforcement actions and investigate companies for:

Failing to implement reasonable data security measures

Making materially inaccurate privacy and security representations including in privacy policies

Failing to abide by applicable industry self-regulatory principles

Transferring or attempting to transfer personal information to an acquiring entity in a bankruptcy or M&A transaction, in a manner not expressly disclosed on the applicable consumer privacy policy

Violating consumer privacy rights by collecting, using, sharing or failing to adequately protect consumer information, in violation of the FTC’s consumer privacy framework or certain national privacy laws and regulations

Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states.

As illustrated above, US privacy law is a complex patchwork of national privacy laws and regulations that address particular issues or sectors, state laws that further address privacy and security of personal information, and federal and state prohibitions against unfair or deceptive business practices. While this chapter provides an overview of US national and state privacy and security laws and highlights key aspects of such laws, these laws are too diverse to summarize fully. Further, US privacy law is currently in flux—in 2019, the California Attorney General will be issuing CCPA regulations and several other states are expected to pass significant privacy laws. While support is growing for a comprehensive, national privacy law that would supersede and preempt state privacy laws, it is unlikely such a law will be adopted in 2019.

Definition of personal data

Varies widely by regulation. The FTC now considers information that is linked or reasonably linkable to a specific individual, which could include IP addresses and device identifiers, as personal data.

The CCPA defines personal information as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition specifically includes contact information, government IDs, biometrics, genetic data, location data, account numbers, education history, purchase history, online and device IDs, and search and browsing history and other online activities, if such information is linked or linkable with a particular consumer or household. Under the law, consumer is broadly defined as any resident of California.

In contrast, state breach notification laws and data security laws typically define personal information more narrowly focusing on more sensitive categories of information, as described below.

Definition of sensitive personal data

Varies widely by sector and by type of statute.

Generally, personal health data, financial data, credit worthiness data, student data, biometric data, personal information collected online from children under 13, and information that can be used to carry out identity theft or fraud are considered sensitive.

For example, state breach notification laws and data security laws generally apply to more sensitive categories of information, such as Social security numbers and other government identifiers, credit card and financial account numbers, health or medical information, insurance ID, online account credentials, digital signatures, and/or biometrics.

The FTC has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas (eg, for telemarketing, commercial email, and children's privacy) and to take enforcement action to protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.

Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states.

In addition, a wide range of sector-specific regulators, particularly those in the healthcare, financial services, telecommunications and insurance sectors, have authority to issue and enforce privacy and security regulations, with respect to entities under their jurisdiction.

There is no requirement to register databases or personal information processing activities.

In 2018, Vermont passed legislation requiring data brokers to register with the secretary of state and adhere to minimum data security standards. Under the law a “data broker” is defined as a company that collects computerized, personal information of Vermont residents with whom the company has no direct relationship, and eithers sell or licenses that information.

In addition, several state laws require entities that engage in certain types of telemarketing activities to register with the state attorney general or other consumer protection agency.

US privacy laws and self-regulatory principles vary widely, but generally require pre-collection notice (eg, in a privacy policy) of information collection, use and disclosure practices, related consumer choices and company contact information, as well as an opt-out for marketing uses or disclosures of personal information.

Further, companies generally need to obtain opt-in consent prior to using, disclosing or otherwise treating personal information in a manner that is materially different than what was disclosed in the privacy policy applicable when the personal information was collected. The FTC deems such changes ‘retroactive material changes’ and considers it unfair and deceptive to implement a retroactive material change without obtaining prior, affirmative consent from all relevant individuals.

Under the CCPA (which applies to individual and household data about California residents and takes effect January 1, 2020), businesses must, among other things:

At or before collection, notify individuals of the categories of personal information to be collected and the purposes of use of such information

Post a privacy policy that discloses categories of personal information collected, purposes of use, categories of service providers and other third parties to whom information is disclosed or sold, and individual rights (eg, access, deletion, data portability) and how to exercise them, as well as other minimum requirements

A “do-not-sell my information” link and page where consumers can opt-out of the sale of their personal information (if applicable)

Where any personal information is disclosed to a third party for their own marketing use, a specific notice about such disclosure (eg, in a company’s privacy policy) must be provided and accessible through a special link on their homepage. Further, the law gives California residents to request a list of the personal information and third parties to whom such information was disclosed for marketing purposes in the prior 12 months

Whether the company honors any do-not-track mechanisms

Other states impose a wide range of specific requirements, particularly in the student and employee privacy areas. For example, a significant number of states have enacted employee social media privacy laws, and, in 2014 and 2015, a disparate array of education privacy laws. In addition, there a number of sector-specific privacy laws that impose notice obligations, significantly limit permitted disclosures of personal information, and grant individuals the right to access or review records about the individual that are held by the regulated entity.

Under the CCPA, prior to any sale of personal information, companies must provide individuals over 16 years old the right to opt-out, obtain prior consent from individuals ages 13 to 16, and obtain prior parental consent from individuals younger than 13. Sale is broadly defined to include selling, disclosing or granting access to personal information in exchange for any consideration or other thing of value. The CCPA also gives individuals broad access and data portability rights, as well as limited deletion rights and the right to obtain more detailed information about specific data collected, as well as disclosures of personal data by businesses.

No geographic transfer restrictions apply in the US, except with regard to storing some government information.

The US is a major point of storage of personal data. The US is presently considered an “adequate” destination for transfers of personal from the EU and Switzerland to recipients in the US who are certified to the EU-US and Swiss-US Privacy Shield principles and program, respectively. However, the legality of the EU-US Privacy Shield program is being challenged in a case that will eventually be heard by the Court of Justice of the European Union.

Most US businesses are required to take reasonable technical, physical and organizational measures to protect the security of sensitive personal information (eg, health or financial information, telecommunications usage information, biometric data, or information that would require security breach notification). A few states have enacted laws imposing more specific security requirements for such data. For example, Massachusetts has enacted regulations that apply to any company that collects or maintains sensitive personal information (eg, name in combination with Social Security number, driver's license, passport number, or credit card or financial account number) on Massachusetts residents. Among other things, the Massachusetts regulations require regulated entities to have a comprehensive, written information security program and set forth the minimum components of such program, including binding all service providers who touch this sensitive personal information data to protect it in accordance with the regulations. Massachusetts law includes encryption requirements on the transmission of sensitive personal information across wireless networks or beyond the logical or physical controls of an organization, as well as on sensitive personal data stored on laptops and portable storage devices. Some states impose further security requirements on payment card data and other sensitive personal information.

There are also a number of other sectoral data security laws and regulations that impose specific security requirements on regulated entities – such as in the financial, insurance and health sectors. Federal financial regulators impose extensive security requirements on the financial services sector, including requirements for security audits of all service providers who receive data from financial institutions. For example, the New York Department of Financial Services (NYDFS) regulations impose extensive cybersecurity and data security requirements on licensees of the NYDFS, which includes financial services and insurance companies. The national Gramm-Leach-Bliley Act and implementing regulations require financial institutions to implement reasonable security measures.

HIPAA regulated entities are subject to much more extensive data security requirements. HIPAA security regulations apply to so-called ‘covered entities’ such as doctors, hospitals, insurers, pharmacies and other healthcare providers, as well as their ‘business associates’ which include service providers who have access to, process, store or maintain any protected health information on behalf of a covered entity. ‘Protected health information’ under HIPAA generally includes any personally identifiable information collected by or on behalf of the covered entity during the course of providing its services to individuals.

Internet of Things

California recently enacted the first US Internet of Things (IoT) legislation, effective January 1, 2020. Under SB 327, manufacturers of most IoT and Bluetooth connected devices will be required to implement reasonable security features ‘appropriate to the nature and the function of the device and the information the device may collect, contain or transmit’ and ‘designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.’

All 50 US states, Washington, DC, and most US territories (including, Puerto Rico, Guam and the Virgin Islands) have passed breach notification laws that require notifying state residents of a security breach involving more sensitive categories of information, such as Social Security numbers and other government identifiers, credit card and financial account numbers, health or medical information, insurance ID, tax ID, birthdate, as well as online account credentials, digital signatures and/or biometrics.

Under many state laws, where more than 500 individuals are impacted, notice is must also be provided to credit bureaus. Nearly half of states also require notice to state attorneys general and / or other state officials of certain data breaches. Also, some state data breach laws impose certain (varying) notice content and timing requirements with respect to notice to individuals and to state attorneys general and/or other state officials.

Federal laws require notification in the case of breaches of healthcare information, breaches of information from financial institutions, breaches of telecom usage information held by telecommunication providers, and breaches of government agency information.

The CCPA (effective January 1, 2020) also authorizes individuals to take a private right of action for statutory damages of between US$100 and US$750 per individual for data breaches resulting from a business’s failure to implement reasonable data security procedures (this applies to most categories of personal information under California’s breach notification law) – this raises significant class action risks.

In June 2018, Ohio became the first US state to pass cybersecurity safe harbor legislation. Under SB 220, a company that has suffered a data breach of personal information has an affirmative defense if it has ‘created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards to protect personal information that reasonably conforms to an industry recognized cybersecurity framework’ (eg, PCI-DSS standards, NIST Framework, NIST special publications 800-171, 800-53, and 800-53a, FedRAMP security assessment framework, HIPAA, GLBA).

The US regulates marketing communications extensively, including email and text message marketing, as well as telemarketing and fax marketing.

Email

The CAN-SPAM Act is a federal law that applies labeling and opt-out requirements to all commercial email messages. CAN-SPAM generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails from the sender, the email identifies the sender and the sender’s contact information, and the email contains instructions on how the recipient can easily and without cost opt out of future commercial emails from the sender. The FTC and state attorneys general, as well as ISPs and corporate email systems can sue violators. Knowingly falsifying the origin or routing of a commercial email message is a federal crime.

Text Messages

Federal and state regulations apply to the sending of marketing text messages to individuals. Express consent is required to send text messages to individuals, and, for marketing text messages, express written consent is required (electronic written consent is sufficient, but verbal consent is not). The applicable regulations also specify the form of consent. This is a significant class action risk area, and any text messaging (marketing or informational) program needs to be carefully reviewed for strict compliance with legal requirements.

Calls to Wireless Phone Numbers

Similar to text messages, federal and state regulations apply to marketing calls to wireless phone numbers. Prior express consent is required to place phone calls to wireless numbers using any autodialing equipment, and, for marketing calls, express written consent is required (electronic written consent is sufficient, but verbal consent is not). The applicable regulations also specify the form of consent. This is a significant class action risk area, and any campaign or program that involves calls (marketing or informational) to phone numbers that may be wireless phone numbers needs to be carefully reviewed for strict compliance with legal requirements. The definition of autodialing equipment is generally considered to, broadly, include any telephone system that is capable of (whether or not used or configured storing or producing telephone numbers to be called, using a random or sequential number generator.

Telemarketing

Beyond the rules applicable to text messaging and calling to wireless phone numbers, there are federal and state telemarketing laws as well. Federal telemarketing laws apply to most telemarketing calls and programs, and state telemarketing law will apply to telemarketing calls placed to or from within that particular state. As a result, most telemarketing calls are governed by federal law, as well as the law of one or more states. Telemarketing rules vary by state, and address many different aspects of telemarketing, such as calling time restrictions, do-not-call registries, opt-out requests, mandatory disclosures, requirements for completing a sale, executing a contract or collecting payment during the call, further restrictions on the use of auto-dialers and pre-recorded messages, and record-keeping requirements. Many states also require telemarketers to register or obtain a license to place telemarketing calls.

Fax Marketing

Federal law and regulations generally prohibit the sending of unsolicited advertising by fax without prior, express consent. Violations of the law are subject to civil actions and have been the subject of numerous class action lawsuits. The law exempts faxes to recipients that have an established business relationship with the company on whose behalf the fax is sent, as long as the recipient has not opted out of receiving fax advertisements and has provided their fax number ‘voluntarily,’ a concept which the law specifically defines.

The law also requires that each fax advertisement contain specific information, including:

A ‘clear and conspicuous’ opt-out method on the first page of the fax

A statement that the recipient may make a request to the sender not to send any future faxes and that failure to comply with the request within 30 days is unlawful, and

A telephone number, fax number, and cost-free mechanism to opt-out of faxes, which permit consumers to make opt-out requests 24 hours a day, seven days a week

Violations are subject to a private right of action and statutory damages, and thus pose a risk of class action lawsuits

There is no specific federal law that per se regulates the use of cookies, web beacons and other similar tracking mechanisms. However, the state online privacy laws require notice of online tracking and of how to opt out of it.

Under California law, any company that tracks any personally identifiable information about consumers over time and across multiple websites must disclose in its privacy policy whether the company honors any ‘Do-Not-Track’ method or provides users a way to opt out of such tracking; however, the law does not mandate that companies provide consumers a ‘Do-Not-Track’ option. The same law also requires website operators to disclose in their privacy policy whether any third parties may collect any personally identifiable information about consumers on their website and across other third party websites, and prohibits the advertising of certain products, services and materials (including alcohol, tobacco, firearms, certain dietary supplements, ultraviolet tanning, tattoos, obscene matters, etc.). Further, given the CCPA’s broad definition of personal information, information collected via cookies, online, mobile and targeted ads, and other online tracking are likely to be subject to the requirements of the law.

It is best practice for websites that allow behavioral advertising on their websites to participate in the Digital Advertising Alliance industry self-regulatory principles, which including principles for online behavioral advertising (OBA Principles), which includes principles of transparency and choice – users must be able to opt out of being tracked for behavioral advertising purposes. The DAA is expected to update its OBA Principles in light of the CCPA.

Minors

The Children’s Online Privacy Protection Act and regulations (COPPA) applies to information collected automatically (eg, via cookies) from child-directed websites and online services and other websites, online services and third party ad networks or plug-ins that knowingly collect personal information online from children under 13. COPPA also regulates behavioral advertising to children under 13 as well as the collection of geolocation information, requiring prior verifiable parental consent to engage in such advertising or collection.

California law requires that operators of websites or online services that are directed to minors or that knowingly collect personally identifiable information from minors permit minors that are registered users of their sites to remove any content the minor has posted from the site or online service. The law does not give minors the right to remove information posted by third parties. Minors must be given clear notice on how to exercise their right to removal.